Back to Blog

How to Conduct Reference Checks with GDPR Compliance

How to Conduct Reference Checks with GDPR Compliance

In September 2017 we shared a seven-step checklist for HR professionals preparing for the introduction of GDPR. 

But with the GDPR regulation coming into play on the 25th of May, we’re addressing a burning question. 

What does the GDPR mean for the reference checking process specifically?

The good news is, the principles of GDPR are really no different from existing data privacy regulations….but the stipulations will be a lot less flexible and the liability for non-compliance far greater. 

So how do we approach reference checking in a GDPR world?

1. Keep candidates in the loop 

While we talk about this regularly from a candidate experience perspective when it comes to GDPR, keeping candidates informed is not just a “nice to have” but a legal requirement. 

As soon as a candidate applies for a role, they must be aware of every background check you plan to take on them and provide consent for you to do so (the meaning of consent is covered in more detail in our checklist). 

Of course, if they do not provide consent for you to carry out certain checks, you can terminate their application on the grounds that it is a requirement of your recruitment process.

2. Know your limits 

The GDPR guidelines outline a number of factors that would deem a data gathering process of “legitimate interest”.

You need to ensure that the information you plan to collect from a reference check:

  • Relates to informing a contractual decision
  • Meets industry compliance  
  • Is in the public's interest

You should also be confident that the process itself doesn’t go beyond reasonable privacy expectations, by asking questions that are personal, discriminatory or have little or no impact on an individual's performance in the workplace.

3. Delete data for non-recruits 

Data destruction is a major focus of the GDPR and something that sets it a little further apart from previous data privacy directives. 

It requires organisations to keep data only as long as they need to, and to delete it securely, completely and with evidence of having done so when appropriate. 

In the context of reference checking, the very obvious point at which a candidate’s data must be deleted is when they are no longer in the running for a role.

Otherwise, for those that are recruited, reference data must be securely stored and destroyed at the request of the individual. 

4. Stay away from social 

Unless you’ve asked for consent to pull down data from an individual’s social media profiles, you’re best to avoid trying to do so as part of your background checking process. 

Organisations must consider whether the information is relevant to the performance of the job, and that legal ground is required for processing the data. such as “legitimate interest” (as discussed above). 

Given social media profiles are largely personal accounts - with the exception of LinkedIn, perhaps - it would be difficult to justify using data from them to inform a business decision. 

GDPR applies to all companies processing the personal data of subjects residing in the European Union, regardless of the company’s location. It’s impact will be global so at least a basic understanding of it is necessary for HR professionals outside of EU countries. 

If you’re still feeling a bit lost, check out our checklist to get up to speed with the priorities for HR professionals. 

We’re proud to offer our clients the assurance of a fully GDPR compliant reference checking process, so they don’t have to worry about overstepping any of the new boundaries that will come into place on 25 May.

Discover how Xref can revolutionise referencing for your business

Speak with us


  • Get HR & Tech insights
  • Be the first to know about Xref events
  • Free downloadable content

Thank you for subscribing! Stay tuned for the next edition (we publish about once a month).


What is Xref?

Xref is a secure, mobile-friendly reference checking platform that significantly reduces time-to-hire and helps protect against candidate fraud.

GDPR: Are You Ready?

Request Demo